CVE-2024-45590
body-parser vulnerable to denial of service when url encoding is enabled
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-09-02 CVE Reserved
- 2024-09-10 CVE Published
- 2024-09-10 CVE Updated
- 2024-09-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-405: Asymmetric Resource Consumption (Amplification)
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce | X_refsource_misc | |
| https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-45590 | 2024-11-13 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2311171 | 2024-11-13 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Expressjs Search vendor "Expressjs" | Body-parser Search vendor "Expressjs" for product "Body-parser" | < 1.20.3 Search vendor "Expressjs" for product "Body-parser" and version " < 1.20.3" | en |
Affected
| ||||||